Digital Edition

SYS-CON.TV
Linux and Security: Forrester Report Flawed, Say Four Top Vendors
Linux and Security: Forrester Report Flawed, Say Four Top Vendors

GNU/Linux vendors Debian, Mandrakesoft, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?" - here's the full text, released yesterday:

Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities are equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.

The security response teams of GNU/Linux distributors Debian, Mandrakesoft, Red Hat and SUSE have assisted Forrester in gathering and correcting data about vulnerabilities in their products. The gathered data was used at Forrester for a report that became titled "Is Linux more secure than Windows?". While the Linux vulnerability data that is the basis for the report is considered to be sufficiently accurate and useful, Debian, Mandrakesoft, Red Hat and SUSE, from now on referred to as "We", are concerned about the correctness of the conclusions made in the report.

We believe that it is in the interest of our usership and the OpenSource community to respond to the Forrester report in the form of a common statement:

We were approached by Forrester in February 2004 to help them refine their raw data. Forrester collected data about the vulnerabilities that affected Linux during a one year period and looked at how many days it took us to provide fixes to our users. Significant efforts have been put in not only making sure that the underlying dataset for the Linux vulnerabilities was correct, but also to articulate the special technical and organisational care taken in the response processes in the professional Open Source security field. This expertise is greatly appreciated by our usership since it adds a high value to our products, but we see that most of this value has been ignored in the methods used for the analysis of the vulnerability data, leading to erroneous conclusions.

Our Security Response Teams and security specialized organisations of respectable reputation (such as the CERT/DHS, BSI, NIST, NISCC) exchange information about vulnerabilities and cooperate on the measures and procedures to react to them. Each vulnerability gets individually investigated and evaluated; the severity of the vulnerability is then determined by each of the individual teams based on the risk and impact as well as other, mostly technical, properties of the weakness and the software affected. This severity is then used to determine the priority at which a fix for a vulnerability is being worked on weighed against other vulnerabilities in our current queue. Our users will know that for critical flaws we can respond within hours. This prioritisation means that lower severity issues will often be delayed to let the more important issues get resolved first.

Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availiability of a vendor's fix. For each vendor the report gives just a simple average, the "All/Distribution days of risk", which gives an inconclusive picture of the reality that users experience. The average erroneously treats all vulnerabilities as equal, regardless of the risk. Not all vulnerabilities have an equal impact on all users. An attempt has been made to allocate a severity to vulnerabilities using data from a third party, however the classification of "high-severity" vulnerabilities is not sufficient: The mere announcement of a vulnerability by a particular security organisation does not necessarily make the vulnerability severe - similarly, the ability to exploit a weakness over the network (remote) is often irrelevant to the vulnerability's severity.

We believe the report does not treat the open source vendors and single closed source vendor in the same way. Open Source Software (OSS) is known for its variety and its freedom of choice amongst the standards it defines. Multiple implementations of these standards are typically offered for both desktop and server use, which gives users the freedom to select software based on their own criteria rather than those of the vendor. The openness, transparency and traceability of the source code is added value in addition to the larger variety of software packages available. Finally, the claim that one software vendor had fixed 100% of their flaws during the period of the report should be incentive for a closer investigation of the conclusions the report presents.

signed,

Noah Meyerhans, Debian
Vincent Danen, Mandrakesoft
Mark J Cox, Red Hat
Roman Drahtmueller, SUSE

Additional Information:

Javier Fernández-Sanguino Peña composed a survey in 2001[*] and discovered that it has taken the Debian security team an average of 35 days to fix vulnerbilities posted to the Bugtraq list. However, over 50% of the vulnerabilities where fixed in a 10-days time frame, and over 15% of them where fixed the same day the advisory was released! For this analysis, all vulnerabilities were treated the same, though.

He has rerun the survey based on vulnerabilities discovered between June 1st 2002 and May 31st 2003 and found out that the median value of delays between the disclosure and releasing an advisory including a correction was 10 days (average is 13.5 days). Again, for this analysis advisories were not classified with different priorities.

* http://lists.debian.org/debian-security-0112/msg00257.html
http://people.debian.org/~jfs/debconf/security/data/

About Linux News Desk
SYS-CON's Linux News Desk gathers stories, analysis, and information from around the Linux world and synthesizes them into an easy to digest format for IT/IS managers and other business decision-makers.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

It seems to me that there is an analogue between the IT world and biology; If an organism is susceptible to a particular virus then all identical organisms can be affected/infected/destroyed - MS windows/outlook. Diversity however offers a measure of inherent protection - Mandrake/Suse/RedHat etc. they are all Linux and are interoprable (lets make sure that continues ) but are sufficiently diverse so as to present a defence against one version of a virus. Maybe some biologist can correct me on this ( or maybe some MS sponsered empirical study of micro-orgainsms on Mars)

This is all just one big tennis game...

Every time you read something that praises Linux and the
Open Source community, it is only a matter of time before Microsoft or one of it's statistic happy puppets come out
with an article, statement or press release to slander
and spread FUD around Linux.

If someone finds and publicizes a Windows security a flaw,
it is only a matter of hours before someone follows up with
a Linux bashing statemtent.

I guarantee if no-one ever found anything to bitch about
with Microsoft products, you would never hear any Linux
bashing. (Too bad there's soooooooo much to bitch about
in Microsof's products!)

Microsoft has to draw attention away from it's poorly
written products by slandering other products.
Slander is the only way Microsfot knows how to compete!

Because it certainly can't compete on the merits of
'quality' software!!!!!!
(a word MS should not be allowed to use)

These IT research firms should be very clear, up front, what their financial relationship is with all the parties involved.

According to this article on the Microsoft site:

"In 2003, Microsoft Corporation commissioned Forrester Research, Inc., to conduct a study to measure the potential market of people in the United States who are most likely to benefit from the use of accessible technology for computers."




ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and ...
While some developers care passionately about how data centers and clouds are architected, for most,...
The Internet of Things will challenge the status quo of how IT and development organizations operate...
With the proliferation of both SQL and NoSQL databases, organizations can now target specific fit-fo...
A traditional way of software development efforts reimbursing is pay by the hour, which in case of r...
More and more companies are looking to microservices as an architectural pattern for breaking apart ...
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savin...
Traditional IT, great for stable systems of record, is struggling to cope with newer, agile systems ...
Adding public cloud resources to an existing application can be a daunting process. The tools that y...
Organizations planning enterprise data center consolidation and modernization projects are faced wit...
Let’s face it, embracing new storage technologies, capabilities and upgrading to new hardware often ...
CI/CD is conceptually straightforward, yet often technically intricate to implement since it require...
Fact: storage performance problems have only gotten more complicated, as applications not only have ...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can ...
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | ...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, will provide an ...
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to ...
Chris Matthieu is the President & CEO of Computes, inc. He brings 30 years of experience in developm...
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloa...
Your job is mostly boring. Many of the IT operations tasks you perform on a day-to-day basis are rep...